Answer: C 


QUESTION: 173 

You are the systems administrator of a large organization that has recently implemented 
Windows Server 2008 R2. You have a few remote sites that do not have very tight security. 
You have decided to implement read-only domain controllers (RODC). 

What forest functional levels does the network need for you to do the install? (Choose 
Three) 


A. Windows 2000 Mixed 
B. Windows 2008 R2 

C. Windows 2003 

D. Windows 2008 


Answer: B, C, D 


Explanation: 

http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx 

Prerequisites for Deploying an RODC 

Ensure that the forest functional level is Windows Server 2003 or higher. 

Deploy at least one writable domain controller running Windows Server 2008 or Windows 
Server 2008 R2 in the same domain as the RODC and ensure that the writable domain 
controller is also a DNS server that has registered a name server (NS) resource record for 
the relevant DNS zone. An RODC must replicate domain updates from a writable domain 
controller running Windows Server 2008 or Windows Server 2008 R2. 


QUESTION: 174 

Your network contains an Active Directory domain. The domain contains several domain 
controllers. All domain controllers run Windows Server 2008 R2. You need to restore the 
Default Domain Policy Group Policy object (GPO) to the Windows Server 2008 R2 default 
settings. What should you do? 


A. Run dcgpofix.exe /target:dc. 

B. Run dcgpofix.exe /target:domain. 

C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe 
/force. 

D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe 
/sync. 


Answer: B 


QUESTION: 175 

Your network contains an Active Directory forest named contoso.com. The domain 
contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. 
DC2 holds the PDC emulator role. 

The power supply on DC2 fails. 

You seize the PDC emulator role to DC1. You replace the power supply on DC2. 

You need to bring DC2 back online as the PDC emulator as soon as possible. The solution 
must minimize the disruption of services for users. 

What should you do? 


A. Connect DC2 to the network. Turn on DC2, and then transfer the PDC emulator role. 

B. Reinstall Windows Server 2008 on DC2 and promote DC2 to a domain controller. 
Transfer the PDC emulator role. 

C. Reinstall Windows Server 2008 on DC2 and promote DC2 to a domain controller. Seize 
the PDC emulator role. 

D. Disconnect DC2 from the network. Turn on DC2, and then seize the PDC emulator role. 
Connect DC2 to the network. 


Answer: A 


QUESTION: 176 

Your network contains a single Active Directory domain. The domain contains five 
read-only domain controllers (RODCs) and five writable domain controllers. All servers run 
Windows Server 2008. 

You plan to install a new RODC that runs Windows Server 2008 R2. 

You need to ensure that you can add the new RODC to the domain. You want to achieve 
this goal by using the minimum amount of administrative effort. 

Which two actions should you perform? (Each correct answer presents part of the solution. 
Choose two.) 


A. From Active Directory Domains and Trusts, raise the functional level of the domain. 
B. At the command prompt, run adprep.exe /forestprep. 

C. From Active Directory Users and Computers, pre-stage the RODC computer account. 
D. At the command prompt, run adprep.exe /domainprep. 

E. At the command prompt, run adprep.exe /rodcprep. 


Answer: C, D 


Explanation: 
C: 
* During the first stage of the installation, the wizard records all the data about the RODC 
that will be stored in the distributed Active Directory database, including the read-only 
domain controller account name and the site in which it will be placed. This stage must be 
performed by a member of the Domain Admins group. 

* To create an RODC account by using the Windows interface 

Click Start, click Administrative Tools, and then click Active Directory Users and 
Computers. 

Double-click the domain container, then you can either right-click the Domain Controllers 
container or click the Domain Controllers container, and then click Action. 

Click Pre-create Read-only Domain Controller account 


QUESTION: 177 

Your network contains an Active Directory domain named contoso.com. All domain 
controllers run a Server Core installation of Windows Server 2008 R2. You need to identify 
which domain controller holds the PDC emulator role. Which tool should you run? 


A. Get-AdForest 

B. Netdom.exe 

C. Get-AdOptionalFeature 
D. Query.exe 


Answer: B 


QUESTION: 178 

Your network contains an Active Directory domain. 

You need to activate the Active Directory Recycle Bin in the domain. Which tool should 
you use? 


A. Dsamain 

B. Add-PSSnapin 

C. Enable-ADOptionalFeature 
D. Add-WindowsFeature 


Answer: C 


Explanation: 

You can enable Active Directory Recycle Bin by using the following methods: 

* Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended 
method.) 

* Ldp.exe 

Note: 

Before you can make the recycle bin available, you must first update Active Directory 
schema with the required attributes. When you do this, the schema is updated, and then 
every object in the forest is updated with the recycle bin attributes as well. This process is 
irreversible once it is started. 


QUESTION: 179 

Your network contains 50 domain controllers that run Windows Server 2008 R2. 

You need to create a script that resets the Directory Services Restore Mode (DSRM) 
password on all of the domain controllers. The solution must NOT maintain passwords in 
the script. 

Which two tools should you use? (Each correct answer presents part of the solution. 
Choose two.) 


A. Active Directory Users and Computers 
B. Ntdsutil 

C. Dsamain 

D. Local Users and Groups 


Answer: B, D 


Explanation: 

B: You can also use the NTDSUTIL command tool to reset the DSRM password. In an elevated CMD 
prompt where you have logged on as a Domain Admin, run: 

NTDSUTIL "SET DSRM PASSWORD" "SYNC FROM DOMAIN ACCOUNT <your user here>" Q Q 

D (not A): There comes a day in nearly every administrator’s life where they 
will need to boot a domain controller into DS Restore Mode. Whether it’s to perform an 
authoritative restore or fix database issues, you will need the local administrator password. 


QUESTION: 180 

A corporate network includes an Active Directory Domain Services (AD DS) forest that 
contains two domains. All servers run Windows Server 2008 R2. All domain controllers 
are configured as DNS servers. 

A standard primary zone for dev.contoso.com is stored on a member server. 

You need to ensure that all domain controllers can resolve names from the 
dev.contoso.com zone. What should you do? 


A. On one domain controller, create a stub zone. Configure the stub zone to replicate to all 
DNS servers in the forest. 

B. On one domain controller, create a stub zone. Configure the stub zone to replicate to all 
DNS servers in the domain. 

C. On one domain controller, create a conditional forwarder. Configure the conditional 
forwarder to replicate to all DNS servers in the domain. 

D. On the member server, create a secondary zone. 


Answer: A 


QUESTION: 181 

You are the network administrator for an organization that has two locations, New York 
and London. 

Each location has multiple domains but all domains fall under the same tree, 
Stellacon.com. 

Users in the NY.us.stellacon.com domain need to access resources in the 
London.uk.stellacon.com domain. 

You need to reduce the amount of time it takes for authentication when users from 
NY.us.stellacon.com access resources in London.uk.stellacon.com. What can you do? 


A. Set up a one-way shortcut trust from London.uk.stellacon.com to NY.us.stellacon.com. 
B. Set up a one-way shortcut trust from NY.us.stellacon.com to London.uk.stellacon.com. 
C. Enable Universal Group Membership Caching in NY.us.stellacon.com. 

D. Enable Universal Group Membership Caching in London.uk.stellacon.com. 


Answer: A 


Explanation: 

http://technet.microsoft.com/en-us/library/cc754538.aspx 

Understanding When to Create a Shortcut Trust 

When to create a shortcut trust 

Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to 
optimize the authentication process. 

Authentication requests must first travel a trust path between domain trees. In a complex 
forest this can take time, which you can reduce with shortcut trusts. A trust path is the 
series of domain trust relationships that authentication requests must traverse between any 
two domains. Shortcut trusts effectively shorten the path that authentication requests travel 
between domains that are located in two separate domain trees. 

Shortcut trusts are necessary when many users in a domain regularly log on to other 
domains in a forest. 

Using the following illustration as an example, you can form a shortcut trust between 
domain B and domain D, between domain A and domain 1, and so on. 


[Illustration omitted] 

Using one-way trusts 

A one-way, shortcut trust that is established between two domains in separate domain trees 
can reduce the time that is necessary to fulfill authentication requests—but in only one 
direction. For example, when a one-way, shortcut trust is established between domain A and 
domain B, authentication requests that are made in domain A to domain B can use the new 
one-way trust path. However, authentication requests that are made in domain B to domain 
A must still travel the longer trust path. 

Using two-way trusts 

A two-way, shortcut trust that is established between two domains in separate domain trees 
reduces the time that is necessary to fulfill authentication requests that originate in either 
domain. For example, when a two-way trust is established between domain A and domain 
B, authentication requests that are made from either domain to the other domain can use the 
new, two-way trust path. 